Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migration 1.17.3 changes in 1.18.2 #242

Merged
merged 11 commits into from
Jun 19, 2024
Merged

Migration 1.17.3 changes in 1.18.2 #242

merged 11 commits into from
Jun 19, 2024

Conversation

mbrulatout
Copy link

@mbrulatout mbrulatout commented Jun 19, 2024
edited
Loading

  • api: non-connect endpoints give downstream connect informations
  • Get sidecar weights from node service if not specified
  • Set KnownLeader by default when streaming is activated
  • connect: re-add common name on secondary CA intermediate certificate
  • Add test to strip version to avoid any leading/trailing whitespaces/newlines
  • Add option in prepared query to skip local datacenter
  • Allow to override DeregisterCriticalServiceAfter for sidecar services
  • Connect: re-align root CA state if needed
  • audit: add audit logs for ACL/catalog/KV operations : 43c4b39 + 1548631
  • some linter fix
  • bump minor version to criteo2

@mbrulatout mbrulatout force-pushed the 1.18.2-criteo branch 2 times, most recently from 68b62a3 to b9664a9 Compare June 19, 2024 11:01
cpaillet and others added 9 commits June 19, 2024 13:01
@cpaillet
api: non-connect endpoints give downstream connect informations
cf4cee0 
provide enough connect information to use consul connect
@mougams
Get sidecar weights from node service if not specified
29c038e 
The sidecar service weight was set to default values if not
specified by use in connect block of service definition.
This patch aims of reusing the node service weights if no weights
is specified from connect definition block.
@PHBourquin
Set KnownLeader by default when streaming is activated
c4e7851 
This is not a real fix but will avoid breaking clients relying on this header

Change-Id: I21b93173f17d1187d8ca49f5869ef8cd4c8d21b5
@dclaisse
connect: re-add common name on secondary CA intermediate certificate
b0b71fd 
hashicorp#10424 introduced a regression,
because it removed common name also for secondary CA intermediate
certificate, which used the same code path. This violates RFC 5280,
which mandates that Issuer CN must not be empty and equal to Subject CN
of subordinate certificate. Partially revert this patch to fix consul
provider, and add a test case to prevent future regressions.
Add test to strip version to avoid any leading/trailing whitespaces/n…
5d33909 
…ewlines
@mougams
Add option in prepared query to skip local datacenter
b66b69d 
- Add option SkipLocalDatacenter in Failover section, defaulted to false,
which enable the possibility to never execute the query in the local
datacenter when set to true.
- Also when the option is enabled, if the local datacenter is listed in the
failover datacenters, execute the query locally instead of triggering remotely.
- Add more tests on prepared query

This patch solves issue described in hashicorp#3250
@mougams
Allow to override DeregisterCriticalServiceAfter for sidecar services
cfc9f92 
When no checks are defined for sidecar services, some default ones are
defined. But those checks don't have any user defined attributes.
In this patch, add feature to set from config the parameter
DeregisterCriticalServiceAfter for all connect default checks.
If none is defined by user, this attribute will be ignored
by consul, since 0 (default value) is ignored.
@dclaisse
Connect: re-align root CA state if needed
625727c 
This prevents state to drift if structs.CARoot gets modified and a new
field is added.
It is important to ensure results from /v1/connect/ca/roots, which
return data from state, are consistent. For instance, on a cluster
that has been setup in 2018, we observed empty ExternalTrustDomain,
as well as PrivateKeyType and PrivateKeyBits.
Without this patch, one would need to wait a rotation to fix state,
which happens every 5 years by default.
Also address TODO that was here now we have strong guarantees that
rootCA and activeRoot are the same, and add a test to ensure
idempotency.
audit: add audit logs for ACL/catalog/KV operations
a07d0c2 
Hook into each function and get all the return flows
to catch the error (if any) through a defer statement.
This requires small changes to declare some variables
before the defer block.

K/V values and policy rules are base64 encoded when adding an audit log entry
to avoid messing with our syslog setup which can't handle multi-line logs
@mbrulatout mbrulatout merged commit d1ecdf2 into 1.18.2-criteo Jun 19, 2024
36 checks passed
@mbrulatout mbrulatout deleted the migrate_1.17 branch June 19, 2024 12:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mougams mougams mougams approved these changes

@dclaisse dclaisse Awaiting requested review from dclaisse

@pierrecdn pierrecdn Awaiting requested review from pierrecdn

@cpaillet cpaillet Awaiting requested review from cpaillet

@manu-ns manu-ns Awaiting requested review from manu-ns

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mbrulatout @mougams @cpaillet @PHBourquin @dclaisse